Resources
Everything you need to know
Company
Security and customers first
Close

Request a demo

Find out today the difference that Hicomply’s unique solution can make to your business.

Close

Thank you for your request

Success

In the meantime, connect with Hicomply for insights on authentication and fraud prevention

Close

ROI Calculator

See how much you could save with Hicomply

Hicomply feature Yearly saving
Automated scoping Easily scope your ISMS with the Hicomply platform
Asset register autogeneration A shorter learning curve for organisations and a simplified process
Risk assessment Autogenerate your risk register and risk treatment plan
Extended policy templates 90% of the essential are already written out of the box
Controls framework All controls are pre-loaded and already linked to the risks they mitigate
Task management Automate all actions, administration and setup time of your ISMS
Real time monitoring Understand status and progress across your ISMS with the Hicomply dashboard
Compliance & Training Your whole team, on the same page
Audit readiness Hicomply makes sure you have everything in place for your audit
Auditor access Give auditors a dedicated login to access and audit your ISM
Back to Resource Hub

SOC 2 Controls: CC6 Logical and Physical Access Controls

CC6.1

SOC 2 CC6.1 requires that your organisation implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet your organisation’s objectives.

CC6.1 highlights the following points of focus:

Identifies and Controls the Inventory of Information Assets

The organisation should recognise, inventory, categorise, and manage its information assets.

Restricts Logical Access

Logical access to information assets should be restricted through the use of access control software and rule sets. Assets include:

  • Hardware
  • Data (at-rest, throughout processing, or in transmission)
  • Software
  • Administrative authorities
  • Mobile devices
  • Output
  • Offline system elements.

Identifies and Validates Users

Individuals, infrastructure and software should be recognised and verified prior to being given access to information assets, whether locally or remotely.

Considers Network Segmentation

Network segmentation should permit disparate portions of your organisation’s information system to be isolated from one another.

Oversees Points of Access

Points of access by external bodies and the types of data that flow through the points of access should be recognised, inventoried, and controlled. The types of individuals and systems using each point of access should also be identified, documented, and controlled.

Limits Access to Information Assets

To establish access-control rules for information assets, combinations of the following should be used:

  • Data classification
  • Separate data structures
  • Port restrictions
  • Access protocol restrictions
  • User identification
  • Digital certificates.

Oversees Identification and Verification

Your organisation should establish, document and manage identification and authentication requirements for individuals and systems accessing organisational information, infrastructure, and software.

Manages Credentials for Infrastructure and Software

New internal and external infrastructure and software should be registered, authorised, and recorded prior to being given access credentials and implemented on the network or access point. When access is no longer required or the infrastructure and software are no longer in use, credentials should be removed and access disabled.

Uses Encryption to Protect Data

Your organisation should use encryption to support other measures used to protect data at rest, when such safeguards are considered necessary based on assessed risk.

Protects Encryption Keys

Procedures should be in place to safeguard encryption keys during creation, storage, use, and destruction.

CC6.2

SOC 2 CC6.2 requires that, prior to issuing system credentials and granting system access, your organisation registers and authorises new internal and external users whose access is administered by the entity. For those users whose access is administered by your organisation, user system credentials should be removed when user access is no longer authorised.

CC6.2 highlights the following points of focus:

Controls Access Credentials to Protected Assets

Information asset access credentials should be created based on an approval from the system's asset owner or authorised custodian.

Eliminates Access to Protected Assets When Applicable

Your organisation should put processes in place to remove credential access when an individual no longer requires such access.

Reviews Appropriateness of Access Credentials

The appropriateness of access credentials should be reviewed on a periodic basis to identify and remove any unnecessary or inappropriate individuals with credentials.

CC6.3

SOC 2 CC6.3 requires that your organisation authorises, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes. As part of this process, you should consider the concepts of least privilege and segregation of duties to meet the organisation’s objectives.

CC6.3 highlights the following points of focus:

Creates or Modifies Access to Protected Information Assets

Processes should be in place to create or alter access to protected information assets based on authorisation from the asset’s owner.

Removes Access to Protected Information Assets

Processes should be in place to remove access to protected information assets when an individual no longer requires access.

Uses Role-Based Access Controls

Role-based access control should be implemented to support the separation of incompatible functions.

Reviews Access Roles and Rules

The suitability of access roles and access rules should be reviewed periodically for unnecessary and inappropriate individuals with access. Access rules should be altered as applicable.

CC6.4

SOC 2 CC6.4 requires that your organisation restricts physical access to facilities and protected information assets (for example, data centre facilities, backup media storage, and other sensitive locations) to authorised personnel to meet your organisation’s objectives.

CC6.4 highlights the following points of focus:

Creates or Alters Physical Access

Processes should be in place to create or modify physical access to your organisation’s facilities, such as data centres, office spaces, and work areas, based on authorisation from the system's asset owner.

Eliminates Physical Access

Processes should be in place to remove access to physical resources when a person or entity no longer requires access.

Evaluates Physical Access

Processes should be put in place to periodically review physical access to ensure consistency with roles and duties.

CC6.5

SOC 2 CC6.5 requires that your organisation discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet your objectives.

CC6.5 highlights the following points of focus:

Detects Data and Software for Disposal

Procedures should be in place to identify data and software stored on equipment to be disposed of, and to make such data and software unreadable.

Removes Data and Software From Organisational Control

Procedures should be in place to remove data and software stored on equipment from the physical control of your organisation and to render said data and software unreadable.

CC6.6

SOC 2 CC6.6 requires that your organisation implements logical access security measures to protect against threats from sources outside your system boundaries.

CC6.6 highlights the following points of focus:

Restricts Access

The types of activities that can take place through a communication channel (for example, FTP site, router port) should be restricted.

Protects Identification and Validation Credentials

Identification and validation credentials should be protected during transmission outside your organisation’s system boundaries.

Requires Additional Authentication or Credentials

Further authentication information or credentials should be required when accessing the system from outside its boundaries.

Implements Boundary Protection Systems

Boundary protection systems (e.g. firewalls, demilitarised zones, and intrusion detection systems) should be put in place to protect external access points from attempts and unauthorised access, and are monitored to detect such attempts.

CC6.7

SOC 2 CC6.7 requires that your organisation restricts the transmission, movement, and removal of information to authorised internal and external users and processes, and protects it during transmission, movement, or removal to meet your organisational objectives.

CC6.7 highlights the following points of focus:

Restricts the Ability to Perform Transmission

Data loss prevention procedures and technologies should be used to restrict ability to authorise and execute transmission, movement, and/or removal of information.

Uses Encryption Technologies or Secure Communication Channels to Protect Data

Encryption technologies or secured communication channels should be used to protect transmission of data and other communications beyond connectivity access points.

Protects Removal Media

Encryption technologies and physical asset protections should be used for removable media, e.g. USB drives and backup tapes, as necessary.

Protects Mobile Devices

Processes should be in place to safeguard mobile devices (e.g. laptops, smart phones, and tablets) that serve as information assets.

CC6.8

SOC 2 CC6.8 requires that your organisation implements controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet your organisation’s objectives.

CC6.8 highlights the following points of focus:

Restricts Application and Software Installation

The ability to install applications and software should be limited to authorised individuals.

Detects Unauthorised Changes to Software and Configuration Parameters

Processes should be put in place to detect changes to software and configuration parameters that may indicate unauthorised or malicious software.

Uses a Defined Change Control Process

A management-defined change control process should be used for the implementation of software.

Uses Antivirus and Anti-Malware Software

Antivirus and anti-malware software should be implemented and preserved to provide for the interception or recognition and remediation of malware.

Scans Information Assets from Outside the Entity for Malware and Other Unauthorised Software

Procedures should be in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorised software, and to remove any items detected prior to its deployment on the network.

SOC 2 Hub

More Resource Hub

ISO27001
SOC 2 Controls: CC9 Risk Mitigation
ISO27001
SOC 2 Controls: CC8 Change Management
ISO27001
SOC 2 Controls: CC7 System Operations